Stefano Di Paola broke JSReg after I challenged everyone on the web app sec list. I've since patched JSReg and removed callee, caller and prototype. I know that removing these features limits the JavaScript available in the sandbox, but I don't care; I'd rather secure it than work out how to use the features safely. His vectors are awesome btw.

JSReg now returns strings/objects/regexps as is; it no longer rewrites them. I still match them, but this results in much faster performance.

Check it out:

Quote
you call, I execute. :)

== Firefox:
6 examples for the same concept: use constructor with nested call
abusing caller to get Function native reference.

Awesome vector, it proved very difficult to write a regex to match that.

@kangax

The toString hasOwnProperty should be OK now, but this has been modified into a safe property. Mario found that valueOf leaked the window because I allowed valueOf properties so that object literals could use it, but this is dangerous, so I disabled toString and valueOf.

I modified the "for in" code because rewriting to while loops to prevent client-side DoS was causing errors. At the moment JSReg requires a full block loop like for(var p in o) { alert(p); } because I have to match the beginning of the loop and inject $p$=($p$+'').replace(/^[$]/,'').replace(/[$]$/,''); Currently the DoS protection is flawed too; it requires some work :(
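To show what that injected line is for, here is an added toy example (not JSReg's own code; wrapIdentifiers, injectForInUnwrap and sandboxRun are hypothetical helpers) of the identifier-wrapping idea: every user identifier is wrapped in "$", so native properties like constructor become $constructor$ and resolve to undefined, and the for-in unwrap line restores the original key name inside the loop.

```javascript
// Added example, not JSReg's own implementation. The toy tokenizer only
// handles identifiers, numbers and operators (no strings or comments).
const KEYWORDS = new Set(['for', 'var', 'in', 'if', 'else', 'return',
  'function', 'true', 'false', 'null', 'typeof']);

// Wrap every non-keyword identifier as $name$ so user code can only reach
// properties that the host wrapped the same way.
function wrapIdentifiers(src) {
  return src.replace(/[A-Za-z_$][\w$]*/g,
    (id) => (KEYWORDS.has(id) ? id : '$' + id + '$'));
}

// Match the head of a block-form for-in loop over wrapped identifiers and
// inject the line that strips the leading/trailing "$" from the loop variable.
function injectForInUnwrap(src) {
  return src.replace(
    /for\s*\(\s*var\s+(\$\w+\$)\s+in\s+\$\w+\$\s*\)\s*\{/g,
    (head, p) => head + p + "=(" + p +
      "+'').replace(/^[$]/,'').replace(/[$]$/,'');");
}

// Rewrite user source, then run it against a host object whose keys are
// wrapped; anything logged is collected so a test can inspect it.
function sandboxRun(userSrc) {
  const rewritten = injectForInUnwrap(wrapIdentifiers(userSrc));
  const seen = [];
  const $o$ = { $a$: 1, $b$: 2 };          // constructed sample host object
  const $log$ = (x) => { seen.push(x); };  // exposed to user code as log()
  new Function('$o$', '$log$', rewritten)($o$, $log$);
  return { rewritten, seen };
}
```

With the for-in unwrap, `for(var p in o) { log(p); }` logs `a` and `b` rather than `$a$` and `$b$`, while `log(o.constructor)` logs undefined because the wrapped lookup never touches the native property.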

Quote
({})[/\u0027/];

Extremely nice! This one is because Firefox (and maybe others) transforms escapes when calling new Function. I use new Function to check syntax before and after converting.

Thanks! Cool. Yeah, array detection is tough because even though I can detect the "[" fairly reliably, the closing "]" is very difficult because it occurs in the same pattern for an array or object accessor. Oh, and detecting everything from "[" inside to "]" is pretty impossible using JS regexes.

Updated
--------

Fixed it with a bit of a hack. I dunno if this is gonna be possible but I'll persist. I scan backwards up the parse tree to see what has been matched to decide if it's a closing array or object access.